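# VPC for this deployment. Both DNS attributes are switched on because the
# interface endpoints defined later in this file set private_dns_enabled = true,
# which requires DNS support and DNS hostnames on the VPC.
resource "aws_vpc" "main" {
  # Interpolation-only strings ("${var.x}") are the legacy 0.11 form; the bare
  # reference is the 0.12+ idiom already used elsewhere in this file.
  cidr_block           = var.target_cidr_block
  instance_tenancy     = "default"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name = "vpc_exploit"
  }
}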

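# Single subnet that spans the VPC's entire address range (VPC and subnet both
# use var.target_cidr_block). Public IP assignment is not decided here: the
# instance below sets associate_public_ip_address itself.
resource "aws_subnet" "main" {
  vpc_id     = aws_vpc.main.id
  # Bare reference instead of the deprecated "${...}"-only string.
  cidr_block = var.target_cidr_block

  tags = {
    Name = "vpc_exploit"
  }
}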

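# EC2 host. It runs under the instance profile below, whose role carries
# AdministratorAccess, so any process on this box - and anyone who obtains its
# instance credentials - is effectively an account administrator.
resource "aws_instance" "web" {
  # AMI ids are region-specific; confirm this one exists in the region the
  # provider is configured for (var.region is used elsewhere in this file).
  ami           = "ami-0cff7528ff583bf9a"
  instance_type = "t2.micro"

  subnet_id  = aws_subnet.main.id
  private_ip = var.target_ip
  # A public IP is requested, but reachability from the internet also depends
  # on an internet gateway and route table that are not defined in this file.
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.vpc_exploit.id]
  iam_instance_profile        = aws_iam_instance_profile.ec2_instance_profile.name

  # Require IMDSv2 so the role credentials cannot be read with a plain,
  # unauthenticated GET against the metadata service; the role is admin, so
  # the instance metadata is the most valuable thing on this host.
  metadata_options {
    http_tokens = "required"
  }

  # Seeds an AWS CLI/SDK config for every local user so STS calls go to the
  # regional endpoint, which private DNS resolves to the sts interface endpoint
  # defined later in this file. The region comes from var.region so it matches
  # the region the endpoints are created in (it was hard-coded to us-east-1).
  user_data = <<EOF
#!/bin/bash

for home in /home/* /root; do
  # With no users under /home the glob stays literal and the loop would create
  # a directory named "*"; skip anything that is not an existing directory.
  [ -d "$${home}" ] || continue
  mkdir -p "$${home}/.aws"
  # NOTE(review): AWS docs spell the default profile as [default] in the config
  # file; botocore accepts "profile default" as well, other SDKs may not - verify.
  echo '
[profile default]
region=${var.region}
sts_regional_endpoints=regional
'> "$${home}/.aws/config"
done
EOF

  tags = {
    Name = "vpc_exploit"
  }
}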

# Instance profile that attaches ec2_instance_profile_role (which receives
# AdministratorAccess further down) to aws_instance.web.
resource "aws_iam_instance_profile" "ec2_instance_profile" {
  name = "ec2_instance_profile"

  tags = {
    Name = "vpc_exploit"
  }

  role = aws_iam_role.ec2_instance_profile_role.name
}

# Execution role for the EC2 host. Only the EC2 service may assume it; what the
# role is allowed to do is defined by the policy attachments further down.
resource "aws_iam_role" "ec2_instance_profile_role" {
  name = "ec2_instance_profile_role"
  path = "/"

  # Trust policy, written with jsonencode instead of a JSON heredoc. It is the
  # same document: EC2 service principal only, no conditions, empty Sid.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = ""
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })

  tags = {
    Name = "vpc_exploit"
  }
}

# Attaches the AWS-managed AdministratorAccess policy to the instance role:
# every process on aws_instance.web, and anyone holding its credentials, gets
# full account admin. Unless this deployment is deliberately isolated, replace
# this with a least-privilege policy scoped to what the host actually needs.
resource "aws_iam_role_policy_attachment" "admin" {
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
  role       = aws_iam_role.ec2_instance_profile_role.name
}

# Permissions the SSM agent needs to register and serve Session Manager over
# the ssm / ssmmessages / ec2messages endpoints in this file. Strictly redundant
# with AdministratorAccess on the same role, but it documents the intended
# minimum if the admin attachment is ever removed.
resource "aws_iam_role_policy_attachment" "ssm_policy_core" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
  role       = aws_iam_role.ec2_instance_profile_role.name
}

# Lets the CloudWatch agent ship logs and metrics (the logs endpoint in this
# file keeps that traffic inside the VPC). Also covered by AdministratorAccess
# on the same role; kept so the role still works without the admin attachment.
resource "aws_iam_role_policy_attachment" "cloudwatch_agent_server_policy" {
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
  role       = aws_iam_role.ec2_instance_profile_role.name
}

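# Interface endpoint for STS. With private DNS enabled, the regional STS name
# resolves to this endpoint from inside the VPC, so the instance's STS calls
# never leave it. No `policy` is set, so AWS attaches its default endpoint
# policy (full access for any principal); an explicit endpoint policy is the
# place to restrict which principals and accounts may use this endpoint.
resource "aws_vpc_endpoint" "sts" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.sts"
  vpc_endpoint_type   = "Interface"
  # Bare reference instead of the deprecated "${...}"-only string.
  subnet_ids          = [aws_subnet.main.id]
  security_group_ids  = [aws_security_group.vpc_exploit.id]
  private_dns_enabled = true

  tags = {
    Name = "vpc_exploit"
  }
}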

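# Interface endpoint for Secrets Manager, reachable from the instance over
# private DNS. As with the other endpoints in this file, no `policy` is set, so
# the AWS default full-access endpoint policy applies; restrict it if this
# endpoint should only serve this account's principals.
resource "aws_vpc_endpoint" "secretsmanager" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.secretsmanager"
  vpc_endpoint_type   = "Interface"
  # Bare reference instead of the deprecated "${...}"-only string.
  subnet_ids          = [aws_subnet.main.id]
  security_group_ids  = [aws_security_group.vpc_exploit.id]
  private_dns_enabled = true

  tags = {
    Name = "vpc_exploit"
  }
}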

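# Interface endpoint for the SSM API, one of the three (ssm, ssmmessages,
# ec2messages) the SSM agent needs to register and serve Session Manager
# without internet access. No `policy` is set, so the AWS default full-access
# endpoint policy applies.
resource "aws_vpc_endpoint" "ssm" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.ssm"
  vpc_endpoint_type   = "Interface"
  # Bare reference instead of the deprecated "${...}"-only string.
  subnet_ids          = [aws_subnet.main.id]
  security_group_ids  = [aws_security_group.vpc_exploit.id]
  private_dns_enabled = true

  tags = {
    Name = "vpc_exploit"
  }
}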

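# Interface endpoint for ec2messages, used by the SSM agent alongside the ssm
# and ssmmessages endpoints in this file. No `policy` is set, so the AWS
# default full-access endpoint policy applies.
resource "aws_vpc_endpoint" "ec2messages" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.ec2messages"
  vpc_endpoint_type   = "Interface"
  # Bare reference instead of the deprecated "${...}"-only string.
  subnet_ids          = [aws_subnet.main.id]
  security_group_ids  = [aws_security_group.vpc_exploit.id]
  private_dns_enabled = true

  tags = {
    Name = "vpc_exploit"
  }
}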

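# Interface endpoint for the EC2 API, so EC2 calls from the instance stay
# inside the VPC. No `policy` is set, so the AWS default full-access endpoint
# policy applies; note the instance role is admin, so an endpoint policy is the
# only network-side control on what EC2 API calls can go through here.
resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.ec2"
  vpc_endpoint_type   = "Interface"
  # Bare reference instead of the deprecated "${...}"-only string.
  subnet_ids          = [aws_subnet.main.id]
  security_group_ids  = [aws_security_group.vpc_exploit.id]
  private_dns_enabled = true

  tags = {
    Name = "vpc_exploit"
  }
}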

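# Interface endpoint for ssmmessages, the channel Session Manager sessions run
# over; together with the ssm and ec2messages endpoints this gives shell access
# to the host without SSH or an internet path. No `policy` is set, so the AWS
# default full-access endpoint policy applies.
resource "aws_vpc_endpoint" "ssmmessages" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.ssmmessages"
  vpc_endpoint_type   = "Interface"
  # Bare reference instead of the deprecated "${...}"-only string.
  subnet_ids          = [aws_subnet.main.id]
  security_group_ids  = [aws_security_group.vpc_exploit.id]
  private_dns_enabled = true

  tags = {
    Name = "vpc_exploit"
  }
}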

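# Interface endpoint for CloudWatch Logs, used by the CloudWatch agent whose
# permissions come from the CloudWatchAgentServerPolicy attachment in this file.
# No `policy` is set, so the AWS default full-access endpoint policy applies.
resource "aws_vpc_endpoint" "logs" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.logs"
  vpc_endpoint_type   = "Interface"
  # Bare reference instead of the deprecated "${...}"-only string.
  subnet_ids          = [aws_subnet.main.id]
  security_group_ids  = [aws_security_group.vpc_exploit.id]
  private_dns_enabled = true

  tags = {
    Name = "vpc_exploit"
  }
}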

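# Security group shared by the EC2 host and by every interface endpoint ENI in
# this file. Only TCP/443 is allowed in either direction, which is what the
# endpoints and the AWS APIs need; nothing in it permits SSH, so the previous
# "ssh" wording in the descriptions was wrong and is corrected here.
resource "aws_security_group" "vpc_exploit" {
  name = "vpc_exploit"
  # Was "Allow ssh inbound traffic", which did not match the rules. In the AWS
  # provider `description` is a replace-on-change attribute, so applying this
  # recreates the group.
  description = "Allow HTTPS inbound traffic"
  vpc_id      = aws_vpc.main.id

  # 443 from any source. On the endpoint ENIs this is what lets the instance
  # reach the endpoints; on the instance itself it exposes 443 to the internet
  # if the subnet is routable. Narrow cidr_blocks to var.target_cidr_block if
  # inbound internet access to the host is not intended.
  ingress {
    description = "HTTPS"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound limited to TCP/443. Per AWS docs, security groups do not filter
  # traffic to the VPC's Route 53 Resolver or to the instance metadata
  # service, so name resolution and IMDS still work under this rule.
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "vpc_exploit"
  }
}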
